WinRAR vulnerability exploited by two different groups

On July 30, 2025, WinRAR released a new version (7.13 Final) to patch a vulnerability which was used in two separate malware campaigns. WinRAR is a popular file archiving and data compression tool that allows users to compress files into smaller archives, like RAR and ZIP, and can also unpack various archive formats.

The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw that affects the Windows version of WinRAR and allows attackers to execute arbitrary code by crafting malicious archive files.

A path traversal vulnerability, also known as a directory traversal vulnerability, is a type of security flaw that allows attackers to access files and directories they should not be able to reach. These flaws typically occur in web applications but can affect any software that handles file paths.

In one campaign, attributed to Russia-aligned group RomCom, the vulnerability was used to drop files in folders other than those stipulated by the user. This allowed cybercriminals to drop files in startup folders and other important areas of the Operating System (OS).
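The general class of flaw described above can be checked for before an archive is unpacked. The following is an added example, not part of the original article and not WinRAR's code: it flags archive entries whose resolved path would land outside the folder the user chose. The function names, the destination folder and the in-memory sample archive are constructed for illustration; it reads ZIP because Python's standard library supports it, and it is not a detector for CVE-2025-8088 specifically.

```python
import io
import ntpath  # Windows path rules, usable on any OS
import zipfile

DEST = r"C:\Extract\job_applications"  # assumed folder the user chose

def escapes_destination(entry_name: str, dest: str = DEST) -> bool:
    """Return True if extracting entry_name under dest would land outside dest."""
    name = entry_name.replace("/", "\\")      # Windows accepts both separators
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):        # drive letter, UNC or rooted path
        return True
    base = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, name)))
    # Trailing separator: a sibling such as "job_applications_x" is not a child.
    return not (target == base or target.startswith(base + "\\"))

def audit_archive(data: bytes, dest: str = DEST) -> list[str]:
    """List entry names in a ZIP (given as bytes) that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if escapes_destination(i.filename, dest)]

def build_sample() -> bytes:
    """Constructed sample: two ordinary entries, one harmless '..', three escapes."""
    names = [
        "resume.pdf",
        "docs/cover_letter.txt",
        "docs/../resume_v2.pdf",               # '..' that stays inside dest
        "../../outside/placeholder.txt",       # climbs out with forward slashes
        "..\\..\\Startup\\placeholder.txt",    # climbs out with backslashes
        "C:\\Windows\\Temp\\placeholder.txt",  # absolute path ignores dest
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for flagged in audit_archive(build_sample()):
        print("would extract outside destination:", flagged)
```

Only entry names are inspected; nothing is extracted, so the check can run on an attachment before it is opened in an archiver.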

The RomCom attackers used the vulnerability from July 18 – 21 against financial, manufacturing, defense, and logistics companies in Europe and Canada. The malicious archives were sent out in phishing campaigns where the attackers posed as job applicants and sent their resumes as attachments.

Another group called Paper Werewolf used the same vulnerability to target Russian organizations. In early July, researchers discovered this activity in targeted phishing campaigns. The attackers posed as employees of a Russian research institute and attached a letter supposedly from one of the ministries.

At the time, the vulnerability was still a zero-day. Now that a patch is available and more details have emerged, other cybercriminals will almost certainly try to weaponize the same vulnerability, possibly by including malware in online downloads.

Therefore, users of WinRAR are advised to install the latest version as soon as possible. To check the version of WinRAR you have installed, open WinRAR and navigate to Help > About WinRAR. This will display a window showing the version number and other details.

Stay safe

Some guidelines to stay safe from these types of malware campaigns:

  • Keep your software and devices up to date.
  • Use an up-to-date, real-time anti-malware solution, preferably with a web protection component.
  • Only download software from trusted places, such as the vendor’s website.
  • Don’t open unsolicited attachments. If an attachment arrives unexpectedly, verify its legitimacy through a different channel before opening it.
  • Be cautious around files from unknown or untrusted sources.
